Journal of Emerging Technologies in Web Intelligence, Vol 3, No 2 (2011), 154-167, May 2011
doi:10.4304/jetwi.3.2.154-167

Allocation Schemes, Architectures, and Policies for Collaborative Port Scanning Attacks

Yu Zhang, Bharat Bhargava

Abstract

Most network attackers perform port scanning individually, without synchronization, to find victim hosts. Such port scanning schemes suffer from two problems: first, there are too many duplicate scans and too much contention among different port scanners; second, a complete port scan takes a long time to finish. In this paper, we present a fast collaborative port scanning scheme based on a distributed hash table (DHT) that aims to eliminate duplicate scanning, minimize contention, and significantly increase the scanning speed. In collaborative attacks, attackers communicate and collaborate with each other to launch much more powerful attacks. In the DHT-based collaborative port scanning scheme, attackers collaborate to search the network for ports that could be exposed to attacks. We propose different collaborative scanning strategies and analyze their advantages and disadvantages. We discuss the static, dynamic, and hybrid target selection and allocation schemes. We present the algorithm details and discuss the stop and revisit policy for the collaborative port scanners. We conduct experiments to evaluate the performance and overhead of the collaborative port scanning strategies. Experimental results suggest that the proposed collaborative port scanning system significantly increases the efficiency of port scanning, and they provide insights into many design and implementation issues.


Keywords

Port Scan, Collaboration, Network Security


